Canvas Breach 'Deal' With ShinyHunters, AI Zero-Day Warning, Checkmarx Hit Again
Jim Love
13 May 2026
Cybersecurity Today examines a troubling set of new security developments affecting schools, software supply chains, and account security.

Instructure says it reached an "agreement" with the ShinyHunters threat group after the massive Canvas breach that may have affected up to 275 million users across 9,000 educational institutions. Reports indicate attackers exploited multiple cross-site scripting (XSS) vulnerabilities to hijack administrator sessions and post extortion demands.

Checkmarx has been breached again. This time, attackers reportedly inserted a malicious Jenkins Application Security Testing (AST) plugin designed to steal credentials. The same threat actor, believed to be Team46/TeamTNT-linked infrastructure or Team PCP depending on reporting attribution, appears to have reused secrets allegedly stolen in the earlier Trivy supply-chain compromise.

Microsoft and Google are warning organizations not to treat passkeys as a complete security solution. If weaker recovery methods or legacy credentials remain active, attackers can still bypass them.

Google's Threat Intelligence Group also reports what it describes as the first observed evidence of hostile actors using AI to assist in zero-day vulnerability research and exploit development, signalling a new phase in attacker industrialization.

Also in today's show: Santa Clara County sues Meta over alleged scam-ad profits.

Chapters
00:00 Headlines Overview
00:28 Canvas Breach Deal Fallout
01:59 How the XSS Attack Worked
03:15 Checkmarx Supply Chain Attack
05:01 Credential Rotation Lessons
05:37 Why Passkeys Aren't Enough
07:19 Layered Defence Takeaways
08:35 AI-Assisted Zero-Day Development
10:10 Industrialized AI Threats
13:08 Meta Scam Ads Lawsuit
15:19 Wrap Up